Singapore State Courts' digital files accessed illegally due to system loophole

A loophole in its criminal case filing system has resulted in 223 State Courts electronic documents being accessed without authorisation, enabling accused persons to view court documents in other case files.
Written by Eileen Yu, Senior Contributing Editor

Singapore's State Courts has revealed that several digital documents have been accessed without proper authorisation due to a loophole in a filing system.

The Integrated Criminal Case Filing and Management System (ICMS) was used in court for criminal proceedings and to support an Accused Person online portal. The portal could be accessed by the accused involved in a case through SingPass, the country's e-citizen account, which was used to access e-government services and required two-factor authentication (2FA) at login.

The State Courts said they were alerted to a potential system vulnerability on November 1 and, after investigating the matter, discovered 223 e-case files had been accessed by "a few accused persons" without authorisation.

"Immediate steps were taken to fix the vulnerability," the courts said in a statement Wednesday. "The e-case files had not been tampered with and the integrity of ongoing proceedings was not affected."

The courts noted that their initial findings revealed that the accused persons involved in the breach exploited the system loophole, which enabled them to view court documents in other online case files.

The affected documents were accessed during the year and had included the names, addresses, and gender of the accused involved in the case, details about the offences, and the status of the court case, according to local broadcaster Channel NewsAsia.

The State Courts said the matter had been reported to the police, who were currently investigating the breach, and their system vendor Ecquaria Technologies had deployed additional security measures to improve user access controls in the ICMS.

Launched in 2013, the system was used by multiple government agencies and organisations including the State Courts, Attorney-General's Chambers, law firms, law enforcement agencies, and Singapore Prison Service. It was tapped to manage the flow of criminal cases, spanning the start of the prosecution process when charges were filed to when a verdict was given and sentence passed.

The Accused Person online portal was added in 2017 to allow the accused involved to access their case details as well as upload documents into their case file to support court proceedings.

The State Courts said those affected by the security incident had been notified, via letters, of the unauthorised access.

In its statement, the State Courts did not say if they had reported the incident to Singapore's Cyber Security Agency, which was responsible for the nation's cybersecurity operations and regulations.

Under the country's Cybersecurity Act, owners or operators of critical information infrastructure (CII) must be responsible for securing their systems and will be held accountable should they breach any mandate laid out in the legislation. This includes a "duty to report cybersecurity incident" in respect of the CII.

The act applies to nine key CII sectors including healthcare, government, and banking and finance.

In July, the personal data of 1.5 million healthcare patients in Singapore were compromised following a security breach in which hackers had gained control through a frontend workstation and gained access to SingHealth's database.
